Middle Earth Ops: Rubberhose Cryptanalysis
by Technomancer3301
Summary: Just a random technical idea that popped into my head. I wrote this as a way of poking fun at all the torture fics involving Legolas. Since one of the primary reasons for torture, or as some call it Enhanced Interrogation, is to obtain information, I figured why not jot down a scenario in which he is confronted with a system that is designed to prevent people from talking.
1. Chapter 1

DISCLAIMER & CITATIONS: J. R. R. Tolkien is dead, but he was the one who wrote LOTR so he gets his credit. Darken Rahl is my idea. Marutukku is a program written by the founder of Wikileaks. This writing is protected under Fair Use. Don't like it? TOO BAD, IT'S THE LAW!

FUN FACT: LOTR used to be Public Domain before the Tolkien family sued to get it back under copyright. Tragic tale to be honest. *And I thought humans were above this type of petty squabbling. But it seems when monies are involved, culture takes a back seat. Hopefully they are donating to charity like J. K. Rowling is.*

The Technomancer Warrior Darken Rahl has installed the finished Marutukku File System on a computer. The Middle Earth Crypto Munitions Bureau wants to know how effective it will be in the field and asked on their ciphercat operations wiki that a field test be carried out. So Darken Rahl sent the elf prince Legolas out to test the system. He has provided him with a laptop with Marutukku installed on it and encrypted a cache of low level intelligence on it along with Legolas' personal non essential files. He is expecting the test to work perfectly.

This Cryptographically Deniable File System is designed to be resistant to Rubberhose Cryptanalysis, another word for having the keys scraped from their very mouths and other appendages through torture. It is designed so that talking is useless because it would not be possible to tell if you talked or not. All of the classified information from SECRET all the way up to TOP SECRET SCI is protected by Marutukku. All technomancer operatives must use this to store classified information on personal computers.

In short the entire disk is filled with quantum random data and then the actual data is encrypted and fragmented in their own aspect which is spread evenly across the disk. The Polymorphic Engine is designed to mutate and scramble the fragmented aspects over a random time variant to make surface analysis attacks impossible. Further security measures ensure that the data is not compromised.

So in theory it should not be possible for the orcs nor Legolas himself to determine if he has revealed all of the keys to the disk because of the fact that the scrambled blocks of encrypted data are hidden among random computer garbage. So it should matter not what form of torture that he is subjected to, the intelligence should remain secure and as he continues to reveal keys to non essential files the claim that there are no more keys becomes more valid.

The way the system is set up is also designed to reveal nothing about the disk itself. Each aspect has no information about the others except where to avoid overwriting other aspects. The mapping of each aspect is self contained inside itself. However Darken Rahl added an extra layer of security around the Master Key: a security virus that is designed to completely shred the entire disk and file system when the key itself is used to decrypt the disk by a user or attacker.

Whether it be leather whips, daggers, swords, brands, or the rack, extraction of information should not be possible.

13371337133713371337133713371337133713371337

Login: #StopWatchingUs!  
Password: EdwardSn0wdenFTW!11elevendyone  
ACCESS GRANTED! Sektor 7 Remote Access Client.  
Anonymous Middle Earth: SECURE CONNECTION: STABLE.  
Telecomix Middle Earth: SECURE CONNECTION: STABLE.  
Par:AnoIA Middle Earth: SECURE CONNECTION: STABLE.  
Guild of Biomancers ME: SECURE CONNECTION: STABLE.  
Guild of Technomancers ME: SECURE CONNECTION: STABLE.

Telecomix Cipherspace Commline Active: I2P Secure Connection Stable.  
IRC_SECURE_CHANNEL: CYPHER SECURED  
WELCOME TO THE FRACTAL CIPHERSPACE!  
#CipherCat

WAR10CK: Alright I have the Marutukku field test underway.

ELFhash: How is this going to work?

WAR10CK: I sent Legolas to Rivendell to deliver a cache of intelligence to our technomancer asset there. He was given a laptop that he has had for a while now and I helped him install the file system onto it. The intelligence cache has been placed in its own aspect and encrypted.

SabuSaber: Surely there are some other files on the computer that can be used as decoys right? The whole idea of Marutukku is that the classified data can remain safely hidden under duress.

WAR10CK: He has all of his non essential personal files in another aspect along with general computer work files in yet another aspect. Finally he has his entertainment and gaming files in a fourth aspect. So he should not have to worry about risking the classified aspect.

ELFhash: Exactly how is he going to test the cryptographic deniability of the system?

CipherCat: Yeah cuz I highly doubt that there are a lot of places or people that will use rubberhose attacks to test systems.

WAR10CK: Oh none of us or anyone we know are going to run the test. The orcs that capture him are going to do that part.

SwordMastr: Captured?

WAR10CK: Yes. You see neither he nor anyone who has connections to him knows that this is actually a field test. They just think he is going to deliver some information to some allies in Rivendell.

SabuSaber: And...

WAR10CK: I accidentally let it slip that Legolas might be delivering some valuable information regarding the orcs' master but that I am not sure about it. They should intercept him and drag him down to the black pits black site and have him interrogated. But because of how the FS works those orcs should not be able to prove that there is even encrypted data on this disk.

Konec: They do have some resident technomancers that will analyze the disk for encrypted data. Most likely they will be able to tell that the system is using the program.

WAR10CK: What? Those dumb orcs? They lack even the most basic cryptography skills and their technomancers are stupid! There is no way that they can tell anything.

MirkMoar: You realize that he could die from the torture. That would certainly invoke someone's wrath.

WAR10CK: Don't worry. I am confident that he will make it through the ordeal alive. Besides he is bound to be rescued sooner or later after capture usually days afterwards.

CryptoLocker: Why Legolas?

WAR10CK: Because he has been through much more torture than I have. Believe me I know. Not to mention I am too well known to them to conduct an actual field test with me as the test subject.

Konec: Oh ok.

MirkMoar: You realize this is wrong on so many levels! You are sending an unsuspecting young elf and a noble at that to be tortured half to death in the most depraved and terrible conditions for something that he will never understand.

WAR10CK: Yes I admit that I am but it is necessary for the war against Sauron and his evil plans. Once he can prove that this system works then we can have it approved for field use.

ELFhash: But still surely there is another way besides this right? I mean think about it. How would you like to be essentially handed over to people who will torture you in the most unspeakable of ways without really knowing the true reason for your suffering and possible death?

WAR10CK: I am not going to answer that. Look your derailing tactics are not going to work on me or anyone else here.

ELFhash was kicked from #CipherCat by SabuSaber for the following reason: DERAILING ATTEMPT.

CipherCat: I agree this is not the time to be discussing morality!

ELFhash: I am just saying that you are being very dishonest and rather cruel too.

WAR10CK: Too bad. Life is cruel on Middle Earth. DEAL WITH IT! Besides it is not like I expect him to die with his secrets. He is going to be rescued or escape like usual when he gets captured. It is just that there is a chance that he might not survive. There is a big difference between there being a chance of death and actually dying.

WAR10CK: Also before you say it, yes he might not make it back in one piece and there might be severe and crippling injuries and mutilation. But both the Biomancers and Technomancers have perfected an advanced regeneration technology that is far beyond the capabilities of your healers. If he is maimed in any way we can repair him.

13371337133713371337133713371337133713371337

TECHNOMANCER ENCRYPTED DATA DECODED KHAZAD-128 CBC

Darken Rahl Personal Log No. 12.915.1

So I sent Legolas over to Rivendell to deliver some intelligence on a laptop that is encrypted with the Rubberhose Proof File System Marutukku. I sent him there because according to the satellite grid there is a contingent of orcs that work for someone in the Mordor Sector. He knows all the keys to the information in the laptop because it is his computer.

Why am I not warning him of the orcs? Because I want him to get captured for interrogation to test the effectiveness of Marutukku. He does not know that this is a field test and that the intelligence is sensitive but unclassified. He only knows what keys hold the intelligence and that those are the keys that must remain hidden. I am too resistant to their type of interrogation and they know me too well.

I made sure that Legolas knows exactly how the Marutukku System works and how it intentionally negates the option to cooperate or "talk". I also made sure that he knows exactly what Rubberhose Cryptanalysis is as well. I told him that this system should ensure that any information that must be delivered to anyone remains secure even from people who would be cowardly enough to choose talking.

Aragorn has been sent to accompany him in the journey but even he does not know that this is a field test because that would potentially compromise the integrity of it. In fact only I and a few other technomancers know that this is actually a field test of a new secure file system. I am keeping Legolas' family and friends out of the loop for fear of compromising the field test. No one else on Middle Earth knows what this delivery is really for.

After all I am pretty sure that no one would knowingly or willingly allow Legolas to be captured and tortured to test the effectiveness of a program. There is a chance that he may be severely crippled and even tortured to death by the orcs but I am confident that he will survive and if he is maimed then he can be repaired. But most likely he will be rescued or escape before it gets to that point.


2. Chapter 2


**The following was posted onto a Cipherspace Board as the Marutukku Field Test was in progress.**

**Post by WAR10CK:**  
Marutukku (our rubber-hose proof file system) addresses most of these technical issues, but I'd like to just comment on the best strategy game-theory wise, for the person wielding the "rubber-hose".

In Marutukku the number of encrypted aspects (deniable "virtual" partitions) defaults to 16 (although is theoretically unlimited). As soon as you have over 4 pass-phrases, the excuse "I can't recall" or "there's nothing else there" starts to sound highly plausible.

Ordinarily best strategy for the Orcs is to keep on torturing keys out of Legolas indefinitely till there are no keys left. However, and importantly, in Marutukku, Legolas can never prove that he has handed over the last key. As Legolas hands over more and more keys, the Orcs can make observations like "the keys the elf has divulged correspond to 85% of the bits". However at no point can the Orcs prove that the remaining 15% don't simply pertain to unallocated space, and at no point can Legolas, even if he wants to, divulge keys to 100% of the bits, in order to bring the un-divulged portion down to 0%. An obvious point to make here is that fraction-of-total-data divulged is essentially meaningless, and both parties know it - the launch code aspect may only take up .01% of the total bit-space.

What I find interesting, is how this constraint on Legolas' behavior actually protects him from revealing his own keys, because each party, at the outset can make the following observations:

Orcs: We will never be able to show that the elf has revealed the last of his keys. Further, even if the elf has co-operated fully and has revealed all of his keys, he will not be able to prove it. Therefore, we must assume that at every stage that the elf has kept secret information from us, and continue to torture him, even though he may have revealed the last of his keys. But the whole time we will wonder if it is any use continuing the torture because the elf may have co-operated fully. The elf will have realized this though, and so presumably it's going to be very hard to get keys out of him at all.

Legolas: (Having realised the above) I can never prove that I have revealed the last of my keys. In the end I'm bound for continued torture, even if I can buy brief respites by coughing up keys from time to time. Therefore, it would be foolish to divulge my most sensitive keys, because (a) I'll be that much closer to the stage where I have nothing left to divulge at all (it's interesting to note that this seemingly illogical, yet entirely valid argument of Legolas' can protect the most sensitive of Legolas' keys the "whole way through", like a form of mathematical induction), and (b) the taste of truly secret information will only serve to make the Orcs come to the view that there is even higher quality information yet to come, re-doubling their torturing efforts to get at it, even if I have revealed all. Therefore, my best strategy would be to (a) reveal no keys at all or (b) depending on the nature of the torturers, and the psychology of the situation, very slowly reveal my "duress" and other low-sensitivity keys.

Legolas certainly isn't in for a very nice time (although he's far more likely to protect his data).

On the individual level, you would have to question whether you might want to be able to prove that, yes, in fact you really have surrendered the last remaining key, at the cost of a far greater likelihood that you will.

It really depends on the nature of your opponents. Are they intelligent enough to understand the deniable aspect of the cryptosystem and come up with the above strategy? Determined to the aspect they are willing to invest the time and effort in wresting the last key out of you? Ruthless - do they say "Please", hand you an order, or is it more of a Black Pits affair?

**Post by ELFhash:**  
But there's more to the story.

Organizations and groups may have quite different strategic goals in terms of key retention vs torture relief to the individuals that comprise them, even if their views are otherwise co-aligned. A simple democratic union of two or more people will exhibit this behavior.

When a member of a group, who uses conventional cryptography to protect group secrets is tortured, they have two choices (1) defecting (by divulging keys) in order to save themselves, at the cost of selling the other individuals in the group down the river or (2) staying loyal, protecting the group and in the process subjugating themselves to continued torture.

With Rubberhose-style deniable cryptography, the benefits to a group member from choosing tactic 1 (defection) are subdued, because they will never be able to convince their interrogators that they have defected. Rational individuals that are `otherwise loyal' to the group, will realize the minimal gains to be made in choosing defection and choose tactic 2 (loyalty), instead.

Presumably most people in the group do not want to be forced to give up their ability to choose defection. On the other hand, no one in the group wants anyone (other than themselves) in the group to be given the option of defecting against the group (and thus the person making the observation). Provided no individual is certain* they are to be tortured, every individual will support the adoption of a group-wide Rubberhose-style cryptographically deniable crypto-system. This property is communicative, while the individual's desire to be able to choose defection is not. The former every group member wants for every other group member, but not themselves. The latter each group member wants only for themself.

* "certain" is a little misleading. Each individual has a threshold which is not only proportional to the perceived likelihood of being tortured over one's dislike of it, but also includes the number of individuals in the group, the damage caused by a typical defection to the other members of the group etc.


3. Chapter 3

See first chapter for disclaimers and such.

LOCATION: Guild of Technomancers Alpha-1 Headquarters, Rivendell, Elven Sector.

Inside the Alpha-1 Research Facility Darken Rahl was working with some of the other technomancers on a new Secure Cryptographic Module for the I2P and Tor Servers because the latest exploit used sorcery to extract the keys from the older chips. So with this one they are installing Anti-Magic components that will vaporize the chip if any magical energy touches it.

While that is being done one of the others is working on a series of non passphrase based keying methods for authentication and decryption. He is posting the reference code to the cryptoanarchy wiki hosted in an undisclosed location. The following methods are being worked on as in the actual wiki post:

For some time now, the Crypto Munitions Bureau has been working on a cryptographically-deniable block storage device (aka Marutukku), on which regular file-systems can be mounted, targeted at the cipherpunk/activist community. We expect to release a developers code set at the Middle Earth Usenix Conference in the Gondor palace next week.

This is like a regular encrypted disk except that it supports multiple keys, where it is computationally infeasible given some of those keys to show that there are more keys, or that particular blocks of data are being used to store something other than unallocated space. Even for the legitimate user.

This mitigates against coercive interrogations and legal compulsion. Only "safe" information need be revealed. It isn't possible to show that additional information exists. Nor is it possible for the subject of a coercive demand to show that they have revealed all information. Thus a rational coercer can never demand proof of full co-operation, as its provision is computationally infeasible.

We have assorted kernel modules for Linux, NetBSD and FreeBSD. Although these modules are designed to abstract away OS primitives and provide a fast kernel-userland messaging layer so the effort involved in porting to other operating systems is minimised.

However there are ways to protect against coercive interrogations that can be layered on top of cryptographic deniability. Keying schemes can be chosen that have beneficial psychological or psychological properties. These novel keying schemes are often but not always graphical in nature, which has implementation considerations.

At the moment we have a passphrase-based keying feeding into a sophisticated key set up routine (that enforces 1 second of original cpu time per attempted key). However, passphrase based keying is non-optimal under many circumstances that the target group might encounter, because passphrases can be quickly conveyed by speech or writing. That is:

1) Interrogations can take place in the Black Pits and not the computer room. It's nicer, particularly given the frequency of equatorial despotism to be tortured in the computer room.

2) Revealing a passphrase only requires (some of) the brain and jaw or hand to be left functional.

3) Revealing a passphrase is quick and requires few higher cognitive functions, thus it is vulnerable to peak pain, hallucinogens and `truth drugs' such as scopolamine.

4) A single observation of a passphrase is enough to grasp the whole keying state. Keyboard sniffers are cheap and in some regions at least, video bugging is not uncommon.

A good keying system prevents revealing of the key, placing the subject of interrogation in a hostile environment (i.e not the computer room), damage to as many parts of the subject's body as possible, retardation of the subjects mental faculties and retardation of the subject's free will. The keying system should also be practical enough to be used and adopted by real life people, and not require expensive or hard to find hardware.

Where a group of co-operating individuals is concerned, keying schemes should discourage defection against the group of individuals being coercively interrogated. Rubberhose cryptographic deniability discourages defection due to the subject's inability to show that they have fully complied with the interrogation (thus the incentive to defect, or at least defect completely, is minimised), but perhaps novel keying schemes can augment this.

It is important to understand that Marutukku requires keying and not authentication. However any authentication method can be turned into a keying method, provided sufficient information for the authentication isn't held on the "server". For an example, Marutukku could issue n challenges, each of which the user's authentication algorithm authenticates or fails to authenticate; the hash of the concatenated authenticated challenges then forms the key. However schemes like this require n to be greater than or equal to 48, which seems practical only for automated methods, or combined with another method which presents more bits of key entropy per iteration.

Some possible alternatives to passphrase based keying (we have some more notes on these ideas, but no code or concrete design documentation):

1) Interactive transposition matrixes. This is a simple method to prevent immediate keyboard sniffing. The user keeps their passphrase in their head, and for each letter a transposition matrix is displayed on the screen.

2) Maze walking. A maze with several "landmarks" is drawn on the screen. The user must "visit" and move past these landmarks in a particular order and direction.

3) Enhanced face recognition. Several arrays of faces are displayed. The user must choose the numbers next to each face, perform a simple mathematical operation on them and input the number.

4) Constraint/simile problems. The user is presented with several secret knowledge problems of A is to B as C is to ? in different forms which test areas of cognitive function and or visual function which would be affected by drugs or severe pain.

5) Grid drawing. The user draws shapes within a matrix. The direction of boundary crossing forms the key. For a similar idea, see "Graphical Passwords", a paper presented at last year's usenix security symposium.

6) Colour contrast discrimination. It has been shown that individuals see slightly different hues due to visual cortex and cone cell / retina variation. It may be possible to design moire or other tests on 24 bit displays which are recognisable by one party but not another. Just hope no-one runs a magnet over your monitor.

7) Forward Error Correction based biometric keying. Traditionally signature and individual biometric variation tests have failed to provide good alternatives for keying, for two reasons. 1) the bio-authorisation template is "secret", hence useless for something like Marutukku, where *all* secrecy is derived from the key. 2) quantisation by the template of the inherent analog variability in the biological source in order to match with the template dramatically reduces the keyspace. A FEC based approach may resolve these issues.

Our current designs for pluggable keying mechanisms simply introduce saved state on stdin and expect output state (which is subsequently hashed to form the key) on stdout.

As novel keying methods are an interesting problem that requires lateral thinking rather than specialist cryptographic expertise, I thought it may be of interest to ocaml coders in general.
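The challenge-based keying and the stdin/stdout plug-in convention described in the wiki post can be sketched as follows. This is an added example, not code from the story or from the Marutukku/Rubberhose project; the function names, the 16-byte challenge size and the HMAC stand-in for the user's authentication algorithm are assumptions, and the saved state is constructed for the demo.

```python
import hashlib
import hmac
import io

N = 48              # the post's lower bound on n
CHALLENGE_LEN = 16  # bytes per challenge (assumed for this sketch)


def make_saved_state(seed: bytes, n: int = N) -> bytes:
    """Constructed saved state: n fixed-length challenges and nothing else.

    No verifier or expected answer is stored, so the state alone cannot
    confirm a guess. A real system would draw challenges from a CSPRNG;
    the seed only keeps this demo reproducible.
    """
    return b"".join(
        hashlib.sha256(seed + i.to_bytes(2, "big")).digest()[:CHALLENGE_LEN]
        for i in range(n)
    )


def split_challenges(saved_state: bytes) -> list:
    if not saved_state or len(saved_state) % CHALLENGE_LEN:
        raise ValueError("saved state is not a whole number of challenges")
    return [saved_state[i:i + CHALLENGE_LEN]
            for i in range(0, len(saved_state), CHALLENGE_LEN)]


def user_accepts(secret: bytes, challenge: bytes) -> bool:
    """Hypothetical stand-in for the user's authentication algorithm.

    Returns one yes/no per challenge. In the schemes the post lists this
    would be a human task (a maze, a face array); HMAC is used here only
    so the demo is deterministic.
    """
    return bool(hmac.new(secret, challenge, hashlib.sha256).digest()[0] & 1)


def answers_for(secret: bytes, saved_state: bytes) -> list:
    return [user_accepts(secret, c) for c in split_challenges(saved_state)]


def output_state(answers: list, saved_state: bytes) -> bytes:
    """Concatenate only the challenges the user authenticated."""
    challenges = split_challenges(saved_state)
    if len(answers) != len(challenges):
        raise ValueError("one answer per challenge is required")
    return b"".join(c for c, ok in zip(challenges, answers) if ok)


def derive_key(answers: list, saved_state: bytes) -> bytes:
    # Each answer carries at most one bit, so n answers give at most n bits
    # of key entropy; a single wrong answer yields an unrelated key.
    return hashlib.sha256(output_state(answers, saved_state)).digest()


def keying_plugin(stdin, stdout, secret: bytes) -> None:
    """Plug-in shape from the post: saved state in, output state out.

    The caller, not the plug-in, hashes what arrives on stdout.
    """
    state = stdin.read()
    stdout.write(output_state(answers_for(secret, state), state))


if __name__ == "__main__":
    state = make_saved_state(b"constructed-demo-seed")
    out = io.BytesIO()
    keying_plugin(io.BytesIO(state), out, b"constructed secret")
    print("key:", hashlib.sha256(out.getvalue()).hexdigest())
    wrong = answers_for(b"constructed secret", state)
    wrong[0] = not wrong[0]
    print("one wrong answer:", derive_key(wrong, state).hex())
```

Because nothing in the saved state says which answers are right, a wrong answer set is not rejected; it simply produces a different key.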


4. Chapter 4

TECHNOMANCER ENCRYPTED DATA DECODED: KHAZAD-128 CBC

Our Field Test of the Marutukku Deniable Encrypted File System was a huge success! Legolas on the other hand... well... he... he is damaged far beyond any of our healers' capabilities. I almost did not recognize him except for the fact that he arrived at Rivendell in the hands of Aragorn but like a maimed corpse. Most of his body is dismembered and mutilated beyond recognition.

There is no skin on his body and many of his organs and bones have been severely damaged. His limbs were missing. They were found on a torture rack still attached to the chains. Had his wounds not been cauterized he might have died. But even then I am truly surprised that he is still alive. Most people would have died long before the damage got this bad. He only had time to say that "Those foul orcs did not get anything out of him." before losing consciousness.

I mean... we were expecting for him to be tortured but... not like this. I had no idea that the orcs could be this excessively cruel or brutal. This is beyond even most lesser demons. I will get on IRC and ask them what the hell happened. I have a contact in the Black Pits who has power over the torturers there. He sort of knew that there was going to be a test of a new system and that all he had to do was try to get Legolas to reveal his keys by any means.

We will have to perform major regenerative work on him. Something that is beyond all standard regenerative treatments. There are only three facilities on Middle Earth that have the capabilities to repair him. The nearest one is in The Hacker Shelter which is based in Rivendell. THANK GOD! So we will have to run him through the highly experimental Stem-Cell enhanced Bacta Tank Treatment.

This treatment should take 24-48 hours depending on the full extent of the damage done which we have yet to establish because it is so massive. His severed limbs are too rotted to reattach so we will have to regenerate his limbs from scratch. That will require 24 hours to complete for each limb.

I believe we should continue to keep his father out of the loop or at least until he can be recognized. It turned out that the elf was close to death and so the orcs let him go because he was practically dead. Aragorn was the one who helped him get to Rivendell.

But as for the field test, we can present the results to the Usenix Conference with pride. Don't worry about Legolas. He will be in good hands with the biomancers in Alpha-1.


5. Chapter 5

LOCATION: Gondor, Human Sector.

Deep in the underground dungeons Darken Rahl was being chained up for the whip. His orc friends were preparing him for the lash that would rend his back to shreds. Aragorn waited with the coiled whip in hand as they finished securing him.

"Hold on, don't you have a briefing at the Usenix Conference regarding your TCMB's Marutukku File System?" Aragorn asked him.

"Yes. Why do you ask?" replied Rahl.

"Well you are scheduled to begin in 2 hours. Shouldn't you be with the bureau working on finalising the presentation back up there?" the former ranger asked.

"They are doing just fine without me. Besides I told them that I had some important things to take care of that are of a personal nature." the technomancer said as his arms were stretched out by the chains. The orcs began to feel his broad muscular back and determined that it was ripe for the whip. They gave the human the all clear and he stepped up to the technomancer and let the whip uncoil.

"Hold on a second. The Steward just texted me. He needs me to look at something for him." The ranger said as he handed the whip to one of the orcs.

"Alright. Whatever." Rahl said as the ranger headed upstairs.

"Ok then, it's the daggers and swords" he said to the orcs who drew them from their sheaths. They began to slowly cut the skin and bleed the technomancer and carve things into the body.

MEANWHILE ABOVE AT THE PALACE...

The Telecomix Middle Earth agents are working with finalising the presentation for the Marutukku File System. Some of them are wondering where Darken Rahl is.

"Hey, any idea where Darken Rahl is?" CryptoPhile asked.

"He said that he is taking care of a personal matter right now. But he said that he will be back before the presentation." ELFhash said.

"I heard that he is actually being tortured for his own pleasure." said Cryptoanarchist007.

Several minutes later Darken Rahl appeared and there were multiple things carved into his bleeding skin. Things such as "Live Free or Die", "Crypto Anarchy FTW", "We Come In Peace", "We are from the outernet".

"Hello guys I'm back. So are we ready for the presentation?" Darken Rahl asked.

"Yes and you got here just in time because we are up in 5." CryptoPhile said.

LOCATION: Annual Middle Earth Usenix Conference, Gondor Palace, Human Sector.

Darken Rahl and the Telecomix Agents appeared in the Great Hall where an audience of Elves, Dwarves, Orcs, and Humans have already gathered to watch the presentation. They set up their equipment and Darken Rahl began to speak.

"Good day people of Middle Earth, I certainly hope you have been enjoying yourself at the conference. My name is Agent WAR10CK and we are here on behalf of the Middle Earth Crypto Munitions Bureau." he said as the projector was finished being set up. An elaborate slide show created in Flash was displayed. The animations were very fancy.

"For quite sometime now we at the Crypto Munitions Bureau have been working on a Cryptographically Deniable Block Storage Program that regular File Systems can be mounted on. If you have access to the Cipher Cat Operations Wiki and have been following it actively you will already know that this system is known as Marutukku. Marutukku is an ultra secure file system designed for the clandestine/activist community but anyone can use it. It is designed to be resistant to Rubberhose Cryptanalysis AKA Rubberhose Attacks.

Now what is Rubberhose Cryptanalysis you might ask? Well unlike regular crypto-analytical attacks that go after the ciphertext itself, this method of attack targets the person who has the keys to the code. Usually by using a rubberhose or in this case," Darken Rahl produces a coiled leather whip stained with blood.

"Something like this." he said.

"Yes in a Rubberhose Attack the encryption keys are tortured out of the person. Now when being tortured the victim has two options. One: To talk or Two: To remain silent. Marutukku is designed to negate the option of talking. It does not stop the person from talking but it makes the option to talk not worth it. Now I know some of you are skeptical and this is why we are here to give this presentation. So let's go over how the system works. You can also find this in the documentation included with the program as well.

First the program overwrites the entire disk with quantum random or crypto secure pseudo random data. This is done multiple times with 7 being the minimum. This will essentially erase all data on the drive so make sure you do not have anything important on it before installing it. Now this is an important part of the process as this random junk will serve to conceal the ciphertext that will soon be placed on the disk. Marutukku supports multiple encryption keys in layers." he explained as the slide show animates the process.

"When you first set up the program you tell it how you want the disk to be divided up. You can have up to 16 Marutukku Deniable partitions though theoretically you can have an unlimited number of them. Now unlike traditional partitions which cordon off a part of the disk Marutukku is a dynamic disk file system in which the space is first come first serve." The next slide showed a diagram of the disk.

"So let's say you have a 1GB hard drive and you want to fill it with two Marutukku partitions, one that is 400 MB and another that is 200 MB." The slide show shows the two partitions being created with a different color and labelled accordingly.

"However Marutukku does not know that you want to divide the disk in this way. Rather it assumes that you want to have two partitions that are both 1 GB in size and thus fill the whole drive." he continued as the animation shows how the program sees the partitions.

Suddenly an elf raises his hand and Rahl calls on him.

"Yes sir. What is your question?" he said.

"If the program assumes that both partitions will be the size of the disk, then how would it know where data is to avoid overwriting it?" asked the elf.

"This is a part of the deniability nature of the program but more importantly this enables it to write the data in a very special way. But there is a special way that Marutukku knows where each partition is without revealing that it knows. I will get to that shortly." Rahl responded.

"So I can simply decrypt a partition and write only to it?" asked a dwarf.

"Actually no. You will have to decrypt all the partitions to safely write to the drive or else you will risk overwriting others and there is a reason for this that I will explain shortly." said Rahl.

"So the special way that it writes these partitions to the disk. It intentionally fragments each encrypted partition by randomly spreading the blocks of data evenly across the disk. So it will break up the 400 MB partition into tiny fragments and scatter them across the drive." Rahl continued as an animation showed the first partition being fragmented across the disk.

"This is done so that an adversary cannot track the bits and reconstruct the partition. So when you decrypt the 400 MB partition it will look like the disk is 1 GB in size with 600 MB of free space left. This is how Marutukku hides the existence of data in the drive." The animation highlights the 400 MB partition fragments and shows how difficult it is to map them out and how the drive will look to an attacker.

"Now we make the second 200 MB partition and again Marutukku fragments it and scatters the pieces randomly across the entire drive while making sure that it does not overwrite the first 400 MB one." The second partition now appears in the diagram and is fragmented across the drive mixing with the first one.

"Now since Marutukku scatters and fragments each partition across the drive we have decided to call each one an "Aspect" rather than a partition or level. Each Marutukku aspect has its own passphrase and must be decrypted separately. The entire Marutukku drive is called an "Extent". Now the idea of using the word aspect is this: Think of it as viewing the same object from different angles where each angle is a different aspect of the whole extent.

Like I said before Marutukku allows you to create as many aspects as you need to in a single extent and because of the way data is written by the program, it is impossible for an attacker to tell either by mathematical analysis or physical testing of the drive how many aspects are on it or for that matter if there is even any encrypted data on the drive at all.

Now this is how Marutukku knows where each aspect is located on the disk to answer our elf's question. The program relies on internal maps to know where the aspects are located. Each aspect has its own internal mapping which is encrypted with it. You can only decrypt each aspect's map by decrypting the aspect itself. This is also why to answer our dwarf's question, you have to decrypt all the aspects before you can safely write to the drive. Also the program will not warn you of overwriting data.

Now because people are most likely reverse engineering this program and testing it extensively, the core principle behind the way Marutukku hides the aspects and their maps is on a strictly need-to-know basis. Meaning that each aspect is SCI. SCI stands for Special Compartmentalized Intelligence which is a special condition that is attached to classified information meaning that the information is available on a need-to-know basis regardless of your security clearance. One aspect knows nothing about any other aspect, its sizes, its mappings, or for that matter even its existence. In fact as a security measure Marutukku does not actually even give any one aspect any piece of real estate on the disk until you start writing to it. Then it assigns each new piece of that aspect dynamically. This instant generation reduces the risk of analysis by an enemy and also allows for the information hiding function of Marutukku.

Marutukku does not need to know any of the other aspect's maps to read from only one. So if you decrypt only one aspect, its map is the only one the program can read. All the other aspects and their maps remain safely encrypted." Rahl continued to explain. The next slide is then displayed.
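The allocation behaviour Rahl describes above (every aspect believes it owns the whole extent, and only the maps of unlocked aspects protect blocks from being overwritten), as an added sketch that is not part of the original story and is not Marutukku's code. `Extent` and `Aspect` take their names from the lecture; the function names, the 8-block disk and the unencrypted payloads are assumptions made to keep the focus on the maps.

```python
import random

BLOCK_SIZE = 16  # bytes per block; tiny on purpose for the demo

class Extent:
    """The whole disk: fixed-size blocks pre-filled with random bytes."""
    def __init__(self, n_blocks, seed=0):
        # Seeded PRNG only so the demo is repeatable; a real tool needs a CSPRNG.
        self.rng = random.Random(seed)
        self.blocks = [bytes(self.rng.getrandbits(8) for _ in range(BLOCK_SIZE))
                       for _ in range(n_blocks)]

class Aspect:
    """One view of the extent. In the lecture its map is encrypted under its own key."""
    def __init__(self, name):
        self.name = name
        self.block_map = {}  # logical block number -> physical block number

def apparently_free(extent, open_aspects):
    """Physical blocks not claimed by any aspect whose map is currently readable."""
    claimed = {p for a in open_aspects for p in a.block_map.values()}
    return [p for p in range(len(extent.blocks)) if p not in claimed]

def write_block(extent, aspect, logical, data, open_aspects):
    """Write one logical block; a physical block is assigned only on first write."""
    if logical not in aspect.block_map:
        free = apparently_free(extent, [aspect, *open_aspects])
        if not free:
            raise RuntimeError("extent is full as seen by the unlocked aspects")
        aspect.block_map[logical] = extent.rng.choice(free)  # scattered, not contiguous
    extent.blocks[aspect.block_map[logical]] = data.ljust(BLOCK_SIZE, b"\0")[:BLOCK_SIZE]

def read_block(extent, aspect, logical):
    return extent.blocks[aspect.block_map[logical]]

def run_scenario(unlock_both, decoy_writes, seed=0):
    """Return (hidden blocks still intact, blocks the decoy aspect alone sees as free)."""
    extent = Extent(8, seed)
    decoy, hidden = Aspect("decoy"), Aspect("hidden")
    expected = {}
    for n in range(3):  # the hidden aspect stores three blocks first
        expected[n] = (b"hidden-%d" % n).ljust(BLOCK_SIZE, b"\0")
        write_block(extent, hidden, n, expected[n], [hidden])
    # The dwarf's question: is it safe to write with only one aspect unlocked?
    unlocked = [decoy, hidden] if unlock_both else [decoy]
    for n in range(decoy_writes):
        write_block(extent, decoy, n, b"decoy-%d" % n, unlocked)
    intact = sum(read_block(extent, hidden, n) == expected[n] for n in expected)
    return intact, len(apparently_free(extent, [decoy]))

if __name__ == "__main__":
    print("both unlocked, 5 decoy writes:", run_scenario(True, 5))
    print("decoy only,    8 decoy writes:", run_scenario(False, 8))
```

With both aspects unlocked the hidden blocks survive, and the three blocks the decoy aspect still reports as free are exactly the hidden ones. With only the decoy unlocked, filling the disk silently destroys the hidden data.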

"Marutukku is designed for storing classified information at the TOP SECRET SCI level provided that it is used in an Approved TCMB Hardware Security Module. So only the best and most secure cryptographic algorithms are used in the program. Here is a brief list of the ones you can use by default:

These Block Ciphers can all be used in the following modes of operation: CBC, and ECB.  
The Disk Encryption Modes are as follows: CBC, CBC-ESSIV, LRW, XEX, XTS, CMC, and EME.  
Rijndael-256 Bit also known as AES or Advanced Encryption Standard 256  
Blowfish-448  
Twofish-256  
Threefish-1024  
Khufu & Khafre-512  
Khazad-128  
Serpent-256  
Lucifer-128  
DF_PMC-1024_BCM  
Anubis-256  
LOKI97-256  
Ciphersaber-256  
CAST-256

CBC stands for Cipher Block Chaining mode.  
CBC-ESSIV stands for Cipher Block Chaining-Encrypted Salt-Sector Initialization Vector mode. This is more secure than CBC alone.  
LRW stands for Liskov, Rivest, and Wagner mode.  
XEX stands for Xor-Encrypt-Xor mode.  
XTS stands for XEX-based Tweaked-codebook mode with ciphertext Stealing mode.  
CMC stands for CBC-Mask-CBC mode.  
EME stands for ECB-Mask-ECB mode.  
ECB stands for Electronic Code Book mode.

Note that all ciphers are set to CBC-ESSIV mode by default and that ECB mode is extremely insecure and thus should not be used. XTS mode is standardized but still cryptographically weak. But because Marutukku is not a Full Disk Encryption program there should be nothing to worry about.

The Stream Ciphers that can be used are as follows:  
Dragon-256  
DF_PMC-1024_SCM  
Ciphersaber-256  
X-ALPHA-1024

The Cryptographic Hash Functions that can be used are as follows:  
Tiger  
Tiger2  
SHA-512  
SHA3-256 and 512  
Whirlpool-512  
Snefru-512

These are the strongest cryptographic algorithms approved by the TCMB." Rahl rambled on as the next slide is now displayed.

"Marutukku is compatible with all disk file system formats including: UFS, ext2fs, FAT, and FAT32 etc. HOWEVER it is not advisable to use a log-structured file system with Marutukku. This will be explained shortly." he said as the next slides are shown.

"There are some very specific security features that Marutukku has that can further secure your data. One of them is a Time-Based Passphrase:

Marutukku has the ability to set time based keys. This is so that people cannot access your data while you are away from the computer. So you can set the system so that Marutukku can require you to re-enter the key after one hour of use or any other length of time. This means that if your as of yet unpaid sellsword bursts through your door and ties you up for 50 minutes on the hour, he will only have 10 minutes to extract all of your classified information before Marutukku demands the key and cuts him off.

YOUR SESSION HAS EXPIRED! ENTER THE KEY TO START A NEW SESSION!

You can also set it to lock down after a certain amount of idle time. So this means that if you have a feast to attend to and a 5 minute social visit turns into an extended feeding fest your data will not be exposed for attack for very long.

Next is the anti-passphrase cracking features.

Marutukku is extremely resistant to dictionary attacks. Every time you generate a new aspect the program generates an internal master key. You will never see this key. Not like it would matter anyway because it is really long, randomly generated, and consists of raw binary data which shows up as ASCII code aka Machine Code which is not human readable. Like this:

6ï¿½ï¿½qï¿½Bï¿½ ï¿½xï¿½" ï¿½Hï¿½ ï¿½oï¿½{ï¿½CNï¿½ï¿½ Rï¿½;Þ"

Marutukku then encrypts this internal master key with the key you give the program for that particular aspect. The internal master key stays the same for the life of the aspect, but you can change your key for that aspect as many times as you like.

By default, when you create a new Marutukku key, the program loops for a period of time re-encrypting the first output into the second, and then the second into the third, etc. Each subsequent encryption output is fed back into the next round of encryption. This makes attacks based on guessing the key extremely difficult, as the attacker must test each guess through the entire loop." the technomancer explained. One of the more intelligent orcs asked a question.

"Is this looping the so-called Cipher Block Chaining mode of operation?" it asked.

"Exactly. This is how CBC mode works and is why it is so secure. However it is also very unstable too. If there is even a single bit that is wrong in the ciphertext then the decryption will fail." Rahl replied as he continued the presentation.

"You can set the looping time to your own preference in Marutukku each time you first open the program. Longer times mean it will take slightly longer to decrypt an aspect every time you open it, but the data will be more secure. For example a two second loop time setting run on an Intel Celeron 386 means Marutukku will do 157000 rounds of encryption for the CAST Cipher. The only way for an attacker to return the original master key is to reverse the process, feeding the output of the last decryption into the input of the next decryption through about 157000 rounds. This of course depends on the speed of the cipher selected.

Now this salted internal master aspect key unlocks everything in that aspect, including the map of where the bits of data are located across the drive and the ability to actually decrypt the data. Because this key is a point of vulnerability we have designed multiple safeguards around that key. It could even be said that the master key does not touch anything else in the program directly. There is always a counter measure protecting it." said Darken Rahl as the next set of slides is run. Legolas who has been fully healed of all his wounds asks a question.
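The key handling in this part of the lecture (a random master key per aspect, wrapped under a key stretched from the passphrase by a timed loop), as an added sketch that is not part of the original story and is not Marutukku's code. PBKDF2-HMAC-SHA512 stands in for the re-encryption loop Rahl describes, and the XOR wrap is a simplification; the function names and header layout are assumptions.

```python
import hashlib
import os
import time

KEY_LEN = 32  # bytes in the master key and in the stretched passphrase key

def stretch(passphrase, salt, iterations):
    """Each round feeds on the previous one, so every guess pays for the whole loop."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, iterations,
                               dklen=KEY_LEN)

def calibrate(target_seconds, probe=20_000):
    """Turn a 'loop time' setting into an iteration count for this machine."""
    start = time.perf_counter()
    stretch("probe", b"\0" * 16, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe * target_seconds / elapsed))

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(master, passphrase, iterations):
    """Protect the master key under a passphrase; a fresh salt is used every time."""
    salt = os.urandom(16)
    kek = stretch(passphrase, salt, iterations)
    # Simplification: a real design would use an authenticated key-wrap, not bare XOR.
    return {"salt": salt, "iterations": iterations, "wrapped": _xor(master, kek)}

def unwrap(header, passphrase):
    """Any passphrase yields *some* 32-byte key; only the right one yields the master."""
    kek = stretch(passphrase, header["salt"], header["iterations"])
    return _xor(header["wrapped"], kek)

def create_aspect(passphrase, iterations):
    master = os.urandom(KEY_LEN)  # never shown to the user, fixed for the aspect's life
    return master, wrap(master, passphrase, iterations)

def change_passphrase(header, old, new):
    """Re-wrap the same master key; no data encrypted under it has to be rewritten."""
    return wrap(unwrap(header, old), new, header["iterations"])

if __name__ == "__main__":
    rounds = calibrate(0.2)
    master, header = create_aspect("mellon", rounds)
    print("rounds per guess:", rounds)
    print("right passphrase recovers key:", unwrap(header, "mellon") == master)
    print("wrong passphrase recovers key:", unwrap(header, "melon") == master)
```

A wrong passphrase raises no error here; it simply produces a different key, and that key would fail to decrypt the aspect's map.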

"Mr. Rahl, I was on the cipher cat wiki and I heard about something called the Polymorphic Engine. What is that?" he asked.

"As a matter of fact I was just about to discuss that." he said.

"Yes the next set of security measures are designed to thwart Disk Surface Analysis Attacks and our friend Legolas here just mentioned it. The Marutukku Polymorphic Engine and the Marutukku Password-Based Key Derivation Function. You see there are several well known attacks on encrypted data by examining the surface of the disks themselves. Marutukku is designed to defend against these attacks including the ones involving scanning electron microscopes.

The program uses methods to ensure that even if an attacker manages to successfully crack one of the many tiny fragments of encrypted data, it will in no way at all help them in cracking any of the other fragments nor even piece together all the data from an entire aspect. The Middle Earth Crypto Munitions Bureau routinely publishes papers on cryptanalytical attacks and thus has designed the program to be immune to all the latest attacks of this type.

This is done with the Marutukku Password-Based Key Derivation Function or PBKDF for short. The PBKDF uses the strongest crypto secure random number generators to create a lattice generator for each aspect. This lattice is encrypted with the aspect's master key and can only be decrypted by it. This is used to generate the unique encryption and decryption keys for each individual fragment of that aspect. Specifically it uses a mathematical algorithm, a modified version of scrypt to be more specific, to transmute a fragment number let's say 64 into a key for that fragment. Marutukku then puts these fragments into its own larger fragments.

There are two types of fragments or blocks in a Marutukku encrypted drive: an Operating System or OS Block which is usually 512 bytes minimum and 8192 bytes maximum in size. The other is a Marutukku Surface Block which is usually congruent with an OS Block Size but not always. These are scattered across the drive in a truly random non-deterministic manner not a pseudo random manner. You can configure the size of the Surface Blocks to your need when you initialize Marutukku on your hard drive. Setting Marutukku to create many smaller Surface Blocks is potentially more secure than choosing larger block sizes although doing so will make the blocks take longer to generate. For TOP SECRET SCI data the maximum allowable block size is 64 bytes.

This program is implemented in such a way so that cracking one of the blocks will, like I said earlier not help an attacker in cracking the next one. More importantly it is virtually impossible to discover any statistical inter-relationships between large numbers of blocks even if the block cipher algorithm is weak and the whitener is cracked. This whitener will be explained later." The next set of slides starts to display a diagram of the aspects.

"Now each Aspect is a "view", or map of these blocks. However when you examine Aspect 1, it appears to view all of the disk as belonging to it. Similarly Aspect 2 would also view all of the blocks as its own. An enemy examining Aspect 1 would only see some used and unused blocks within that single aspect. But some of those "unused" blocks might actually belong to Aspect 2 though Aspect 1 cannot tell this so the enemy would not be able to tell either." The slides play the animation showing how the blocks are hidden and how an enemy cannot tell which ones belong to which aspect.

"Now here is where the Marutukku Polymorphic Engine (MPE) plays its role. The MPE continually mutates the disk layout and scrambles the blocks over a random time variant to thwart surface analysis based on the intensity of block use and contiguous block prediction. In theory an enemy can examine the magnetic properties of the ferrite coating on the disk surface and determine how frequently a program has read or written to a particular section of the drive. This would normally allow the enemy to guess if a particular geographic area on the disk is blank ie filled with random noise or contains hidden data.

So if an attacker can decrypt and only decrypt Aspect 1 and no other, he can overlay a map of frequently used drive sections on Aspect 1's data map showing used and unused sections. If he sees an unused section that has been accessed for reading and writing very frequently, he can guess that there is more likely than not, hidden material stored there from another aspect.

To prevent this sort of analysis, the Marutukku Polymorphic Engine automatically mutates the block layouts and scrambles blocks of data around to new locations with a frequency you can set. However a random time variant is also used on top of that. It does this regularly but invisibly so this mutation does not interfere with your work in progress. The background mutation occurs when Marutukku is open with write capability even when your machine is idle. This results in no single region of the disk looking any more used than any other part of it in a statistically significant fashion." The animation shows the mutation of the fragments on the drive.

"Further, this block mutation reduces the risk of contiguous block analysis. If an attacker decrypts Aspect 1 and finds all the data written to a contiguous block on the drive, then he can reasonably guess that the block next to it contains data from Aspect 2. By mutating the block layout, Marutukku avoids the predictability of this tidy, block assignment." Rahl finished explaining. Now onto the next part of the presentation.

"The final thing I will talk about in regards to the security of Marutukku is the safeguards against cryptanalytic attacks such as Known Plaintext Attacks and the like. Marutukku contains the "whitening code" I mentioned earlier. This is another countermeasure designed to thwart cryptanalysis attacks, particularly "Known Plaintext Attacks". Now what is a Known Plaintext Attack?

A Known Plaintext Attack is pretty much described in its name. It is basically an attack where you know some or all of the decrypted data and can use it to rebuild the key or the rest of the message. The whitening code is made out of random bits. This is also known as a SALT value and is used to make sure the ciphertext does not match the plaintext directly. It perturbs the encryption process in a non-predictable manner.

Marutukku merges this whitener and the decrypted data from the data blocks in order to change them slightly. Specifically the whitener flips a corresponding bit in the data block. Any bit in the whitener which is a 1 will flip a corresponding bit in the decrypted data block. Any 0 means hold or don't flip. Here is a truth table that shows how bits are changed:

Whitener Bit + Data Bit = Result Bit  
1 + 1 = 0  
1 + 0 = 1  
0 + 0 = 0  
0 + 1 = 1

This process is known as an XOR or eXclusive OR operation and is a common and basic logical Bitwise Operation which simply means that the operation is done on one bit at a time. It is used in many functions besides cryptography.

This prevents Known Plaintext Attacks because now you have some bits in the decrypted data block that are flipped and some are not. So now you have no plaintext that is directly translatable into the ciphertext itself.

Now the whitener is vulnerable in that if you crack the whitener for any one block then you have probably cracked it for all blocks. But there are other countermeasures built in specifically for problems like this. Such as separate keys for each individual block which severely limits the success of such an attack."

"Some of the possible scenarios for Marutukku to be used are as follows:

Aragorn, a ranger, has three types of data on his computer. His personal files, his scouting related files, and a series of files detailing the defenses of the Mordor Sector. The personal files and to a lesser extent, the scouting files are his cover. They provide decoy data for the more classified defense layouts.

When traveling back to Gondor a group of orcs intercept and capture him and his computer. The technomancers at Barad-dûr examine his machine and find that the hard drive is encrypted. They demand the key from Aragorn who is now in the Black Pits being interrogated/tortured to decrypt the data. Aragorn gives them a key. They decrypt the data and discover a bunch of personal files. They poke around the drive but cannot see any other encrypted data, because there is no possible way to show the existence of any other data hidden among the personal files. They are frustrated and angry but cannot get any more keys because he says there are no more keys. There is no way for the torturers or Aragorn himself to prove he has handed over all of the keys.

Finally after several more hours of brutal and savage torture they finally decided to let him go. They send the mangled ranger back home not knowing that the scouting files or the defense files are on the machine.

Another possible scenario is that Frodo has been discovered to be on a secret Hit List and needs to be extracted to a secure location. He is given a floppy disk with 5 passphrases which protect a list of safe houses that are secured. Frodo decodes the first location with his key and heads there. Then the person there decodes the next location with his own key.

This continues until the final safe house outside of the border is reached in which the last location which is the secure site is decoded by the final safe house. So at any time if the disk is intercepted or any of the people who have a key to the disk cannot reveal the location of anyone else. Only after Frodo is safely across the border will the entire list be known.

This can also be a way to securely pass information to a person with a cryptographically secure chain of custody."

"Now for the self-destruct feature: Marutukku can be set up so that any particular aspect can be securely erased if need be. This is done with a function designed to cryptographically erase the master key of the aspect rendering the data on that aspect impossible to decode ever again. The program's compartmentalized nature ensures that once the master key to an aspect is destroyed then Marutukku would no longer even know whether it has been destroyed or not.

If you tried to enter the passphrase for that aspect again Marutukku would just say that the key is invalid and nothing could tell you otherwise. Furthermore this allows you to safely overwrite any existing encrypted data from the now disabled aspect with data from another aspect.

The erase procedure is extremely simple. You run the command that starts it and you enter the passphrase of the aspect you wish to delete. This will then decrypt that aspect's master key and maps then overwrite the master key 7 times minimum with random data and then do the same with the mapping tables. This ensures that the data is impossible to decrypt ever again. You can even set a Nuke Key for an aspect that will automatically wipe it when entered. However if the Orcs see that you have given them a key that destroyed the data they are looking for they might torture you to death as punishment. So be careful about that." Darken Rahl finished.


End file.
